Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Published byLauren Doherty Modified over 10 years ago

Similar presentations

Presentation on theme: "Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition."— Presentation transcript:

1 Model Checking Lecture 3

2 Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition relation : S PL(A) where the formulas of PL are ::= a | | for a A

3 Specification Omega Automata Syntax as for finite automata, in addition the following acceptance condition: Buchi:BA S

4 Language L(M) of specification omega-automaton M = (S, S 0,,, BA ) : infinite trace t 0, t 1,... L(M) iff there exists an infinite run s 0 s 1... of M such that 1. s 0 s 1... satisfies BA 2. for all i 0, t i |= (s i )

5 Let Inf(s) = { p | p = s i for infinitely many i }. The infinite run s satisfies the acceptance condition BA iff Inf(s) BA

6 (K,q) |= L M iff L(K,q) L(M) Linear semantics of specification omega automata: omega-language containment infinite traces

7 Response specification automaton : (a b) assuming (a b) = false a b b a s1s1 s2s2 s3s3 s0s0 Buchi condition { s 0, s 3 }

8 Response monitor automaton : (a b) assuming (a b) = false a b s1s1 s2s2 Buchi condition { s 2 } s0s0 true

9 Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking 3Symbolic algorithms for model checking 4Pushdown systems

10 Model-Checking Algorithms = Graph Algorithms

11 1Safety: -solve: finite monitors ( emptiness) -algorithm: reachability (linear) 2Liveness: -solve: Buchi monitors ( emptiness) -algorithm: strongly connected components (linear) We will talk about STL and CTL model checking later.

12 From specification automata to monitor automata: determinization (exponential) + complementation (easy) From LTL to monitor automata: complementation (easy) + tableau construction (exponential)

13 Algorithms 1Reachability 2Strongly connected components 3Tableau construction

14 Finite Emptiness Given: finite automaton (S, S 0,,, FA) Find: is there a path from a state in S 0 to a state in FA ?

15 Fix a set A of atomic observations

16 State-transition graph K Q set of states Q Q transition relation [ ]: Q 2 A observation function

17 Monitor automaton M Sfinite set of states S 0 Sset of initial states S S transition relation E Sset of final states : S PL(A) where the formulas of PL are ::= a | | for a A

18 (K,q) |= C M iff L(K,q) L(M) = We construct another monitor automaton M such that L(M) = L(K,q) L(M) S = {(q,s) Q S | [q] |= (s)} finite set of states ({q} S 0 ) S set of initial states (q,s) (q,s) transition relation iff q q and s s (Q E) Sset of final states : S PL(A)labeling function (q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q] languages over finite traces

19 Finite Emptiness Given: monitor automaton (S, S 0,,, E) Find: is there a path from a state in S 0 to a state in E ? Solution: depth-first or breadth-first search

20 dfs(s) { if (s E) then report error add s to dfsTable for each successor t of s if (t dfsTable) then dfs(t) }

21 Buchi Emptiness Given: Buchi automaton (S, S 0,,, BA) Find: is there an infinite path from a state in S 0 that visits some state in BA infinitely often ?

22 Monitor Buchi automaton M Sfinite set of states S 0 Sset of initial states S S transition relation BA Sacceptance condition : S PL(A) where the formulas of PL are ::= a | | for a A

23 (K,q) |= C M iff L(K,q) L(M) = We construct another monitor Buchi automaton M such that L(M) = L(K,q) L(M) S = {(q,s) Q S | [q] |= (s)} finite set of states ({q} S 0 ) S set of initial states (q,s) (q,s) transition relation iff q q and s s (Q BA) Sacceptance condition : S PL(A)labeling function (q,s) = conjunction of atomic observations in [q] and negated atomic observations not in [q] languages over infinite traces

24 Buchi Emptiness Given: Buchi automaton (S, S 0,,, BA) Find: is there an infinite path from a state in S 0 that visits some state in BA infinitely often ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C BA 3. Check if some fair SCC is reachable from S 0

25 Complexity n number of states m number of transitions Reachability:O(n+m) SCC:O(n+m)

26 Buchi emptiness Two algorithms for SCC computation –forward and backward DFS –forward HI-LO algorithm Storing SCCs requires lot of memory Nested DFS –checks Buchi emptiness without explicitly computing SCCs

27 dfs(s) { add s to dfsTable for each successor t of s if (t dfsTable) then dfs(t) if (s BA) then { seed := s; ndfs(s) } } ndfs(s) { add s to ndfsTable for each successor t of s if (t ndfsTable) then ndfs(t) else if (t = seed) then report error }

28 Multi-Buchi Emptiness Given: Multi-Buchi automaton (S, S 0,,, BA 1, …, BA n ) Find: is there an infinite path from a state in S 0 that infinitely often visits some state in BA i for all i such that 1 i n ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C BA i for all i such that 1 i n. 3. Check if some fair SCC is reachable from S 0

29 Tableau Construction Given:LTL formula Find: Multi-Buchi automaton M such that L(M ) = L( ) [Fischer & Ladner 1975; Manna & Wolper 1982] monitors subformulas of

30 , ::= a | a | | | | U | W ( ) = ( ) = ( ) ( U ) = ( W ) ( W )=( U ) Negation normal form

31 Fischer-Ladner Closure of a Formula Sub (a)= { a, a } Sub ( )={ } Sub ( ) Sub ( ) Sub ( )={ } Sub ( ) Sub ( U )={ U, ( U ) } Sub ( ) Sub ( ) Sub ( W )={ W, ( W ) } Sub ( ) Sub ( ) | Sub ( ) | = O(| |)

32 s Sub ( ) is consistent iff -for all atomic propositions a ( a) s iff a s -if ( ) Sub ( ) then ( ) s iff s and s -if ( ) Sub ( ) then ( ) s iff either s or s -if ( U ) Sub ( ) then ( U ) s iff either s or s and ( U ) s -if ( W ) Sub ( ) then ( W ) s iff either s or s and ( W ) s

33 Fischer-Ladner Closure of a Formula … Sub ( )={, } Sub ( )

34 s Sub ( ) is consistent iff … -if ( ) Sub ( ) then ( ) s iff either s or s -if ( ) Sub ( ) then ( ) s iff s and s

35 Tableau M = (S, S 0,,, BA 1,…,BA n ) S...set of consistent subsets of Sub ( ) s S 0 iff s s t iff for all ( ) Sub ( ), if ( ) s then t (s)... conjunction of atomic observations in s and negated atomic observations not in s There is an acceptance condition - for each ( U ) Sub ( ) given by { s | s or ( U ) s } - for each ( ) Sub ( ) given by { s | s or ( ) s }

36 Size of M is O(2 | | ). LTL model checking:PSPACE-complete

Download ppt "Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Avoiding Determinization Orna Kupferman Hebrew University Joint work with Moshe Vardi.

Avoiding Determinization Orna Kupferman Hebrew University Joint work with Moshe Vardi.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Model Checking and Testing combined

Model Checking and Testing combined
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata D. Lugiez, P. Niebert, S. Zennou Laboratoire d Informatique Fondamentale de.

Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata D. Lugiez, P. Niebert, S. Zennou Laboratoire d Informatique Fondamentale de.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Pushdown Systems Koushik Sen EECS, UC Berkeley Slide Source: Sanjit A. Seshia.

Pushdown Systems Koushik Sen EECS, UC Berkeley Slide Source: Sanjit A. Seshia.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.

 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.

Similar presentations

Ads by Google